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a serv^ice is provided by a modified 
pager which calculates a unique re- 
sponse code to a transmitted chal- 
lenge code based on the challenge 
code, an input personal identification 
number, and an internal key. The re- 
sponse code is input to a simple ter-* 
minal, such as a telephone and if the 
unique response code is acceptable, 
the user may access the desired ser- 
vice, such as cashless transacdons or 
long distance phone service. 
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^DSER :au.thent.ication :kethod :and :apparatds 

BACKGROUND OF THE INVENTION 
:i) Field of the 'Invention 

The present invention involves a method and an apparatus 
5 for authentication of a user attempting to access an electro- 
nic service, and, in particular, providing an authentication 
unit which is separate from preexisting systems . 

2) Description of Related Art 

Effective authentication methods and apparatuses have 

10 been in great demand to prevent fraud and theft of services. 
This demand increases with the explosion of electronic 
services in the current information age. Electronic services 
such as , banking services, credit card services, automatic 
teller machine (ATM) services, account information services 

15 such as mortgage, savings and investment accounts, general 
information services such as data base services and networks, 
security services and long distance, phone services all require 
that a user be accurately identified for purposes of security, 
proper billing and avoidance of fraud. Recently, fraud in the 

20 cellular mobile telephone industry has placed so great a 
demand on effective authentication methods that a protocol has 
been standardized for cellular mobile systems. See, GSM 
03.20, European Telecommunications Standards Institute 
(ETSI), 1993, pp- 19-29 and U.S. Patent No . 5 , 282 , 250, herein 

25 incorporated by reference. 

However, conventional authentication systems have 
required specially equipped terminals with card readers such 
as ATMs or credit card gas station terminals, data terminals 
using a log-in procedure, or cellular mobile radio stations 

3 0 with built-in authentication capabilities. Credit cards 
having a magnetic strip provide only minimal security insomuch 
as the bearer of the card is usually permitted to conduct 
transactions without further authentication of the user's 
identification other than perhaps comparing a unauthenticated 
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signature rori vthe -card ±0 ra :signature raf ±:he ^user.. '.Even in 
transactions when .-signatures rare required, -the certainty of 
the user's identification is .minimal. 

Other identity cards, such as ATM cards., require a log-on 
5 procedure with a password, or PIN. But the PIN, once learned 
-by an unauthorized user, offers no security in authenticating 
the user if the user can duplicate the ATM card. 

These methods of authentication require specially 
equipped, and often dedicated, terminals, which raises the 

10 cost cind reduces the availability of the associated electronic 
service. In other words, the. prior art security systems often 
require a dedicated or customized terminal or modification to 
existing terminals, which greatly restricts the use of 
security systems to specific sites- Also, a user may use 

15 several electronic services, each service requiring an 
authentication procedure and/or personal identification 
number (PIN) or password, each procedure or password different 
from the others. As a subscriber to several electronic 
services, a user might end up with numerous passwords to 

2 0 remember. Even worse, he or she may be required to change 

these passwords periodically, thus having to remember if a 
password is still valid or not. 

Also, transactions requiring relatively certain authen- 
tication have been largely unavailable from relatively simple 
25 terminals like telephones. For instance, home banking by 
telephone has been, limited to transactions involving the bank 
customer's own accounts or using only the customer's own 
telephone. 

SUMMARY OF THE INVENTION 

3 0 The present invention overcomes these and other problems 

by providing an authentication procedure wherein the user 
carries a personal unit not limited to use with or physically 
connected to a terminal of any one specific electronic 
service. The personal unit can be used to authenticate a 
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luser'^s fidentity through. a variety of terminals .associated -with 
:a variety :Df electronic services.. 

The personal unit .includes a receiver for receiving a 
transmitted challenge code and an algorithm unit .which 
'5 processes the challenge code, a user input such as a personal 
identification nuinber (PIN) or electronically recognizable 
signature, and an internally stored security key for cal- 
culating a response code according to a pre-stored algorithm. 
The response code is then sent to the service node and, if it 

10 is acceptable, access to the service is authorized. 

The basic method involves receiving a challenge code from 
a system, the user inputting a personal identification number 
or other recognizable input, and the personal unit generating 
. a response code based on an internally stored algorithm. The 

15 PIN or other user input may be changed from time to time, and 
the challenge code and the response is unique for each 
transaction. The personal unit may receive and store a 
plurality of challenge codes for later use. 

The personal xmit can be used with virtually any existing 

20 terminal of an electronic service without requiring the 
terminal to be modified or customized. For instance, the 
personal unit can be used with a standard telephone, whether 
a radio telephone or land-line: telephone. The user can input 
the response code displayed on the personal unit through the 

25 telephone keypad or the personal \init can include a DTMF 
transmitter for direct input of the response code into the 
microphone of the telephone. It follows that the keypad of 
any service terminal (e.g., a data terminal connected to a 
service computer) can be used to input the response, code. If 

30 some other input device is used in a terminal, such as an 
acoustic input, a inductively coupled input, an optical input, 
radio transmitter (particularly if the terminal is by-passed 
and the response code is transmitted directly to the authen- 
tication center), etc., the personal unit can include a 

35 compatible output device. In other words, the personal unit 
can be modified or equipped to be compatible vith existing or 



'WO 96/00485 



:PCr/SE95/00719 



'4 . 

.perspective terminals, xather ithan :having 'to Tmodify the 
terminals to .suit vfche authentication procedure. 

The .same basic .authentication ;procedure -.can .be -used for 
all services the user might wish to engage, the procedure 
5. being modifiable to .suit any specific requirements of the 
electronic service. The user may have one personal unit for 
all the services he may wish to subscribe to, or several 
personal xinits, each unit being usable with one or a sxibset of 
services to which the user has subscribed. . 

10 BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention will now be described with refe- 
rence to the attached drawing figures in which: 

Figure 1 is a schematic diagram of an authentication 
pager system in accordance with the present invention; 
15 Figure lA is a schematic diagram of an authentication 

pager system with reference to specific communications in 
accordance with the present invention; 

Figrure 2 is a perspective view of a personal unit in 
accordance with the present invention; and 
20 Figure 3 is a flowchart outlining the authentication 

process in accordance with the present invention. 

DETAmiD DESCRIPTION OF THE PREFERRED EMBODIMENTS 
Hardware of the System 

Referring to Figure 1, the present invention includes a 

25 personal unit 20 for generating a response code, a terminal 22 
for initiating service access and conducting service, and for 
inputting the response code to a service access network 24 or 
directly to a separate authentication center 30. The service 
access network transmits data between the terminal 22 and a 

3 0 service node 26. The service node 2 6 generates a challenge 
code and requests that the challenge code be sent to the 
personal unit 20 via an authentication challenge network 28. 
Alternatively, the separate authentication center 3 0 can 
generate the challenge code upon request by the service node 
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26. 'The '.terminal :22 -can ':be -a land-line ±elephone,, a radio 
telephone, -an /ATM, .a -computer with <a .modem iCmodulator/demodu- 
Tator) , :a .facsimile :machine, or virtually .any other -type of 
terminal capable of receiving an input directly or indirectly 
5 from the personal unit and relaying information to -.a service 
node 26. 

The ser-vice' node 2 6 may 'be any form of electronic 
service, such as banking or financial services , credit card 
services, long distance telephone services, information 

10 services, etc. The type of service provided is not germane to 
the present invention. One of the advantages of the personal ; 
unit of the present invention is that it can be used for 
authenticating the user of any service. 

In an exemplary embodiment, the authentication center 

15 30, whether separate or as part of the service node 26, 
includes a radio transmitter, storage for one or more al- 
gorithms, and a comparator to compare the received response 
code to an expected response code. The authentication center 
3 0 can be realized in the form of additional software, added to 

2 0 a preexisting pager system or other radio communication- 

system. The separate authentication center 30 enables many 
service nodes or networks to use one authentication center 30. 
This permits changes in the authentication procedure to be 
done at one location, for all applications and permits one 
25 authentication procedure to be used for more than one service, 
and perhaps all services to which a user has subscribed. 

The service access network 24 can be in the form of any 
communication system, such as a public or private telephone 
network, telegraph, or other land-line system, cellular radio 

3 0 telephone network, or other radio communication network. The 

form of the service access network 24 can be in any form 
capable of transmitting information from the terminal 22 to 
the service node 26.. The service access network 2 4 in some of 
the examples provided below is in the form of a preexisting 
3 5 telephone network. 
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*.The 'authentication chaTlenge network 28 -can be the same 
network as 'the ^service ,access network 24., or preferably a 
distinct and separate network. The authentication challenge 
■.network 28 can be any communication system, such as a public 
5 or private telephone network, telegraph, or other land-line 
system, cellular radio telephone network, or other radio 
communication network. The authentication challenge network 
28 can be in any form capable of transmitting information from 
the service node 26 (or authentication center 30) to the 

10 personal unit 20. In one embodiment, the authentication 
network is a preexisting wide area pager system capable of 
broadcasting a personal unit identification nximber and 
additional information, such as at least one challenge code. 
Exiting pager systems which can transmit at least the tele- 

15 phone number the user is being prompted to call have suf- 
ficient capabilities to function with the personal unit 
disclosed herein. Any form of radio communication system can 
provide the optimum security offered by the present invention 
because only a specific receiver properly generate the 

20 expected response when the proper PIN or the like is input. 
However, the user can be required to manually input a chal- 
lenge code provided over an interactive service access network 
24. - 

In the exemplary embodiment of Figure 2, the personal 
25 unit 20 includes a receiver unit 21a for receiving the 
challenge code, and an algorithm unit 21b, operatively 
connected to the receiver unit 21a and pref ercOjly including an 
input device for receiving a user input, such as a security 
number, e.g. , a PIN (Figure 2) . The receiver unit 21a can be 
3 0 in the form of a pager having a digital display capable of 
displaying a caller's telephone number or the like. The 
personal unit 2 0 can be essentially a conventional pager which 
is modified to include, for example, a receiver 21b, an input 
keypad 21c and optionally a dual tone multi- frequency (DTMF) 
3 5 generator 2 Id (if automated input of the displayed response 
code is preferred where the terminal 22 is connected to some 
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.form .of /audio iCoini!iiiiiicat.ions .network).. The personal unit 120 
■.may Include a transmitter :21f in :an cembodiment where the 
service access network includes ^an radio upliiik, or where the 
response code is directly sent to the authentication center 3.0 
5 or service node 26. The algorithB 'unit 21b calculates a 
response code in accordance with the received challenge code, 
an appropriate input security number and optionally a secret 
key (a secret number or code provided by the supplier of the 
personal unit) entered into storage in the personal unit at 

10 the time of subscription. Algorithms of this type are known 
in the art or readily derived therefrom. See, GSM 03.20, 
Appendix C.2, algorithm A3, for example. The specific 
algorithm used in a given embodiment is not germane to the 
present invention- A memory 21e is provided to store the 

15 algorithms, the secret key, received challenge codes and 
computer programming as a specific embodiment makes ex- 
pedient. The pager unit may be microprocessor driven. 

This provides a triple check on the identity of the user, 
requiring information from three separate sources (user: PIN, 

2 0 service node or authentication center: challenge code, and 

provider of the personal unit: secret key) , thereby increasing 
the relative security of the transaction against fraud or 
other unauthorized use. 

In a preferred embodiment, the personal \init is a 
25 separate unit, thereby minimizing or avoiding the need to 
customize a communication device such as a cellular telephone. 
The receiver unit, input device, and the capacity for perfor- 
ming the necessary calculations exists in conventional 
cellular telephones and personal communication units, 

3 0 allowing the present invention to be implemented through 

software. 

The challenge code can either be unique to a given 
transaction or broadcast, for exsimple, to all such personal 
units in use at a given time. The response code is to be 

3 5 UTiicrue to each transaction in either scenario- Also, in 
- either scenario, the challenge codes should be changed on a 
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:periodic or a :randoin basfs to provide additional security for 
•transactions. Similarly, the user input, . such as a PIN, can 
•be updated at the user's, discretion or on a regular basis. 
:Even the algorithm can be changed from time to time, :or more 
'5 '.than one algorithm can be stored in the personal unit 20, 
which can be either cyclically used in a predetermined order 
or changed after a predetermined number of uses. As long as 
the authentication center 30 can determine what algorithm, 
what secret key (if used) , and what user input should have 
10 been used for a given transaction, the user can be authen- 
ticated. 

The algorithm unit 21b calculates a response code based 
oh the received challenge code, the user input (e.g., PIN), 
and optionally the secret key. Thus, for a correct response 

15 code to be generated, the challenge code, the user input and 
the secret key (if used) have to be in accordance with the 
expectations of the service node 26 or authentication center 
30 if access to the service is to be granted. The service node 
26 or the authentication center 30 is provided with enough 

20 information to be able to anticipate the proper response code. 
Thus, for a transaction to be authorized, the user must know 
the appropriate user input (e.g., PIN), be in possession of 
the correct personal unit and receive the appropriate chal- 
lenge code. 

25 A conventional twelve button (0-9, * and #) keypad 21c is 

preferable provided for inputting the user input as shown in 
Figure 2. Alternatively, a reduced or expanded keypad can be 
used with lesser or greater security being afforded thereby. 
A character recognition device which can recognize a signature 

30 or other writing can be used for the user input device. Also, 
fingerprint or retinal scanner can be used for added security 
in appropriate situations. 

For example, the challenge code may have 10 decimal 
digits, the secret key has 12 decimal digits, the PIN has 4 

3 5 decimal digits, and the response code has 8 decimal digits. 
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. Authentication Process 

.A luser initiates ;a -service .^access ^through ^terminal :22 ;by 
transmitting -the request over a .service access :netvark '24 'to 
a service .node 26. The service node .26 does not immediately 
5 initiate the services offered. Rather, it generates a 
challenge code or causes a challenge code to be generated in 
an authentication center 30. The/ challenge code is sent over 
an authentication challenge network .28 to the personal unit. 

When the personal unit 20 receives an authentication 
10 challenge code, it prompts the user to input a PIN or other 
identifying information, and generates a response code by an 
algorithm having the challenge code, an internal security code 
and the PIN as variable. Alternatively, several challenge 
codes can be received and stored in the personal unit, and the 
15 user prompted for the user input when attempting access to an 
electronic service. The user inputs a PIN, for example, via 
a keyboard. However, known character recognition devices can 
be used to recognize a signature, or writing generally, which 
is input on a pad via a stylist. Other possibilities include 

2 0 a finger print or retinal scan devices, though the expense of 

these devices makes a practical embodiment less likely except 
for transactions requiring the highest form of security. 

The internally stored algorithm then generates a 
response code based on the challenge code, the user input, and 
25 optionally a secret key. 

The response code is either displayed on a display 20a 
(Fig. 2) for manual input to terminal 22, or electronically, 
acoustically or optically input to terminal 22 which then 
transparently tramsmits the response code over the service 

3 0 access network 24 to the service node 26. Alternatively or 

additionally, the response can be transmitted over the 
authentication network 28 to the authentication center 3 0 
which. then may send the response to the service node 26, or 
compare the response to the expected response and forv^ard the 
3 5 result to the service node 26. If the response code is 
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acceptable, •the service node 26 permits the user to access the 
"services offered. The response code is compared to an 
expected response code, which, in exemplary embodiments, may 
be pre-stored or generated using the same algorithm and 
5 variables. Because the communication links in the authen- 
tication challenge network, and perhaps the service access 
network may suffer from noise (e.g., radio interference) , some 
tolerance may be given in the result of the comparison. In 
other words , the response code and the expected* response code 

10 do not have to be exactly the same to gain access to the 
service, particularly when using an analog, rather than a 
digital, transmission format. 

With reference to the flow chart of Figure 3, an exemp- 
lary authentication process begins at step SIO where a user 

15 initiates communication to a service node 2 6 via the service 
access network 24 . This can be as simple as picking up the 
telephone and dialing an appropriate telephone number, which 
may be pre-stored in the personal unit. At step S12, the 
process may include entering a user number or identity, such 

20 as used for a data service. As shown at step S14, the service 
access network 24 transparently communicates an access 
request from the user to the service node 26. The service 
node 26, in response to the access request, requests authen- 
tication via an authentication challenge network 28 by sending 

25 a challenge code (either generated in a separate challenge 
center 30 or in the service node 26) to the user's personal 
unit 20, as shown at step S18. Alternatively, one or more 
challenge codes can be sent to the personal unit in advance. 
The personal unit 2 0 may display a prompt to prompt the user 

3 0 to input, for example, a security code, such as a PIN, or the 
terminal 22 may provide the prompt. Upon entry of the user 
input, the algorithm unit 21b of the personal unit 20 cal- 
culates and sends a response code either to the display or to 
a dual tone multi-frequency generator, or both. Other output 

3 5 devices can be used, such as radio wave (e.g. , radio transmit- 
ter or transceiver), infrared, visible or ultraviolet 
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-generators /(•ev>g-.„ 3^D'*:S<or:-semiconduct:ar 'lasers;),, ^electrical- 
ly inductive ?coupl:ers ((£e..:g.,, .induction tcoi'ls'),, :or :fonns of 
acoustic devices other '-than ..a DTMF generator.. 

:The -user then either manually inputs .the displayed 
5 response code to the terminal 22, or the personal unit .20 
directly inputs the response code in the case of a different 
type of output device. For example, when a dual tone multi- 
frequency (DTKF) generator is used with a communication 
system, the user presents generated tones to a microphone of 

10 such a system. 

The service access network 24 transparently transmits 
the response code to the service node 26, which determines 
whether it is acceptable. If the authentication center 30 
performs the comparison of the received response code to the 

15 expected response code, the service node 26 will transmit the 
response code to the authentication center 30- Alternatively, . 
the personal unit can send via radio transmission the response 
directly to the authentication center 30 and the authen- 
tication center 30 can inform the service node 2 6 of the 

20 results. If the response code is not acceptable, the user's 
access to the service is denied and the process returns to 
either initiating the entire process or re-requesting the 
identification information. Optionally, the system can 
disable the personal unit if a predetermined number of denied 

25 access attempts occur or if the personal xinit 2 0 has been 
reported as stolen. 

If the response code is acceptable, the service is 
accessed and the user can perform the desired, available 
functions through the service node. 

3 0 With reference to Figure lA, the basic procedure is 

"examined with reference to specific, numbered communications 
of an exemplary embodiment. 

(1) . ENTER USERID: PTOEXAN. 

(2) Service node receives request for a service from 
3 5 PTOEXAN. This USERID is connected to Patent and 

Trademark Office Examiner Andersson. Service node 
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sends a reguest :far :authent:ication: "Please 
authenticate this user: Examiner Andersson." 

(3) Challenge code is sent to Examiner Andersson 's 
authentication pager. 

5 (4) ENTER PASSWORD, which is sent to the data terminal 

from the service node. 

(5) Examiner Andersson enters PIN number to activate 
calculation of response code in personal unit. 
Response code is shown on the display of the per- 

10 sonal unit, and then manually input to the data 

terminal. Alternatively, the response code can be 
sent via a radio link directly, to the authen- 
tication center. 

(6) The response code is sent from the service node to 
15 the authentication center. 

(7) Authentication center compares the received res- 
ponse to the expected response and sends a message 
to the service node informing node authen- 
ticated/not authenticated. 

2 0 (8) Authentication approved/ not approved to the user. 

As a concrete example of the present invention, a home 

banking application will be described. In this application, 

the intention is to transfer money from the owner's account to 

a different account, such as a creditor's account. The user 

25 can pay his bills at home using a telephone and a personal 

unit. In this example, all. authentication steps performed by 

the user are manual. The resulting dialogue is as follows: 

User: Initiates a telephone call by cal- 

ling a payment service telephone 
30 number of a bank. 

Bank: "Enter your account number." 

User: "4219231459^f . " 

Bank: "Please enter the following digits 

into your authentication unit - 1, 

3 5 2, 3, 2, 8" (challenge code). Al- 

ternatively, if the challenge code 
is broadcast or previously stored 
in the personal unit, then this 
step is skipped. 

4 0 "Please enter your personal iden- 

tification number." 
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'User.: ;Enters his PIN .into 'the ;personal 

xinit . '.The [personal unit presents a 
.challenge .response., e.g..., 192B3746, 
.on '.the personal *unitVs display. 
5 The user enters "19283746" on the 

telephone keypad. 

. Bank: "Enter account number of account to 

receive payment. " 

User: "4313950678#- " 

10 Bank: "Account of Ms. Jane Doe, Anytown, 

USA. Enter amount. " 

User: "$500.00." 

Bank: "$500,00 is credited to the account 

of Ms. Jane Doe. Transaction refe- 
15 rence nxmber 123456." 

User: Hangs up. 

This procedure may be complicated by routines for 

interrupting if an error has occurred, routines for handling 

more than one transaction during a single call, routines for 

20 using another home telephone, etc. 

A second exemplary procedure involves charging for long 

distance calls using a special service node (SSN) - In this 

example, the authentication is provided when charging a long 

distance call through a long distance telephone company. 

25 User: The special service node telephone is, 

e.g., with the prefix 900, followed by 
the long distance telephone number to be 
called, e.g., 900 555-1212. 

SSN: "Give ID and challenge response." 

30 User: Enters PIN into a personal unit (which 

has received a radio transmitted chal- 
lenge code) and the personal unit pre- 
sents a challenge response on its dis- 
play, e.g., "19283746." A button is then 

35 pressed and the personal unit's speaker 

is held against a microphone of the 
telephone giving an acoustical DTMF 
output to the SSN, e.g., 
"#0859032843119283746^" which includes 

40 a personal identity number and followed 

by- a response to the challenge code. 
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SSN: Authenticity of the xesponse code ;is ^checked 
and, if acceptable, the connection :is ;provi- 
ded. 

The same personal unit can be used for both the above 
5 transactions. A more automatic transaction can be implemen- 
ted. For instance, the personal unit may include a receiver 
and a DTMF transmitter., in which case, the user merely 
initiates access to a service and at a prompt inputs a user 
input, such as a PIN. 

10 To avoid waiting for the paging system to transmit 

challenges over a wide area paging network, for example, it is 
possible to transmit several (e.g., three) challenge codes 
which are stored in the personal unit 2 0 until used -when a PIN 
is entered to generate a response code. The response code 

15 subsequently generated is not to be used more than once if 
repeating an entry due to error. 

The authentication center 3 0 can determine when to 
provide additional challenge codes to a personal unit via a 
radio signal, because it receives the responses in order to 

20 perform the authentication. Alternatively, if the service 
node 26 receives the responses, the service node 26 requests 
the authentication center 30 to send the next expected 
response to the service node 26, so that the authentication 
center can coiint the number of generated/ used response codes. 

25 As stated previously, an authentication center 3 0 may be 
combined with a service node 26 or may be independently 
located and used by several service nodes. 

The present invention can be implemented for any suitable 
service node 26 using existing networks without significant 

3 0 costs by setting up appropriate data exchanges between 
existing networks and service nodes. The response code may be 
used for authentication using any terminal in any networks, 
provided the terminal is capable of transmitting data. The 
response code may be sent via the authentication network 28 

35 (e.g:, via a radio signal). 

According to one embodiment of the present invention, a 
method for authentication is provided which can be used for 
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.-an electronic^services subscribed by a -user without requiring 
numerous passwords to be -.remembered. To achieve this, the 
authentication .network 30 is connectable to all electronic 
networks or service nodes 26.. When a user addresses a 
5 particular -service node 26, requesting a service, the service 
node 26 sends a request for authentication to the authen- 
tication center 30. At reception of the request for authen- 
tication of a user, the authentication center 30 generates a 
challenge code which is sent to the user via the service node. 
10 26. The user nay then Banually input the challenge code and 
a user input, such as a PIN, into his . personal unit, to 
receive a response code, shown on the display of the personal 
unit 20. The response may then be manually input to the 
terminal 22 used for accessing the service. An authenticity 
15 check may then be performed" either by the authentication 
center 30 or by the service node 26. 

The challenge code may also be sent to the personal unit 
via radio from the authentication center 30, or sent as DTMT 
tones, for example via a PSTN telephone. The response code 
20 may also be sent to the authentication center 30 via radio or 
sent as DTMF tones, for. example via a PSTN telephone. 

This authentication method does not require any changes 
to existing terminals. The method allows the response code to 
be sent to the node performing the authenticity check in a way 
25 suitable to the service application. The PIN code used to 
activate the calculation of a response in the personal unit is 
the only "password" or PIN that must be memorized by the user. 

The present invention may, of course, be carried out in 
other specific ways than those set forth herein without 
30 departing from the spirit and the central characteristics of 
the invention. The present embodiments are, therefore, to be 
considered in all respects as illustrative and not restric- 
tive, and all changes coming within the meaning and the 
equivalency range of the appendant claims are intended to be 
3 5 embraced herein. 
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' WHAT 'IS VLKTKET) TS: : 

;a method :f or ;authenticating »a .prospective user of 
an electronic rservice, the user having a [.personal unit, said 
method comprising the :steps of : 
5 transmitting a challenge code; 

receiving said challenge code in said personal 

unit7 

generating, in said personal unit, a response code 
based on an algorithm having at least said challenge code and 
10 a user input as varieJDles; 

generating an output code comprising said response 
code suitable for input to a terminal physically located at 
said user's location but separate from said personal unit, 
said terminal being operatively connected to said electronic 
15 service; 

comparing said response code with an expected 
response code ; and 

permitting access to said electronic service only 
when a result of said comparison step is acceptable. 

20 2. A method according to claim 1, further comprising 

the step of: 

requesting access to said electronic service before 
said challenge code is received, wherein said challenge code 
is treinsmitted and received in response to said access 
25 request. 

3. A method according to claim 1, fxirther comprising 
the steps of: 

storing one or more received challenge codes in said 
personal unit; and 
30 requesting access to said electronic service after 

said challenge code is received and stored, wherein said 
algorithm uses at least one of said stored challenge codes and 
a user input as variables in generating a response code. 
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.4.. A method according to claim 1, further comprising 

the steps of: 

receiving said user input through a keypad. 

5. A method according to claim 1, further comprising 

the steps of : 

receiving said user 'input through a handwriting 

recognition device. 

6. A personal xinit comprising: 

a receiver for receiving a challenge code; 

an input means for inputting a user input; 

a response code generating means, operatively 
connected to said receiver and said input means, for genera- 
ting a response code in accordance with a received challenge 

code and a user input; 

an output means for generating an output code 
suitable for input to a terminal connected to an external 
electronic service, said personal unit being physically 
separate from said terminal and said terminal being, at the 
location of the user. 

7. A personal unit according to claim 6, wherein said 
receiver includes a radio wave receiver. 

8. A personal unit according to claim 7, wherein said 
receiver includes conventional pager circuitry. 

9. A personal unit according to claim 6, wherein said 
user input is a personal identification number. 

10. A personal unit according to claim 6, wherein said 
input means includes a keypad. 

11. A personal unit according to claim 6, wherein said 
input means includes a character recognition device. 
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:12.. /A personal "unit .according ±o '.claiin ^.6 , -wherein said 
^output :ineans iincludes ^a display. 

13.. .A personal unit according to claim 6, wherein said 
output means includes an acoustic generator. 

14 . A personal unit according to claim 13 , wherein said 
acoustic generator includes a dual tone multi-frequency 
generator . 

15. A personal unit according to claim 6, wherein said 
output means includes an optical generator. 

16. A personal unit according to claim 15, wherein said 
optical generator includes at least one of a infrared genera- 
tor, a visible light generator, and a ultraviolet light, 
generator. 

17. A personal unit according to claim 6, wherein said 
output means includes at least one electrically inductive 
coupler. 

18 . A personal unit accordiiig to claim 17 , wherein said 
at least one electrically inductive coupler includes at least 
one induction coils. 

19. A personal unit according to claim 6, wherein said 
output means includes a radio transmitter. 

20. A personal xinit according to claim 6, wherein said 
response code generator means calculates a response code in 
accordance with an algorithm wherein said received challenge 
code, said^user input and a secret key stored in said personal 
unit are variables in the algorithm. 

21. A system comprising: 
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a personal -.unit for receiving a challenge ^code, ;f or 
receiving a user input, and generating ra response .code 
according to a received challenge code and a user input; 

a terminal operatively connected to ran authen- 
tication center, said terminal being capable of receiving said 
response code and being physically separate. from said personal 
unit; and 

a network for sending said challenge code when 
-access to a service is attempted, and for receiving said 
response code from said personal unit, said network further 
comprising 

comparing means for comparing said response 
code generated by said personal unit to an expected response 
code and 

- permitting means for permitting access to said 
service only when a result of said comparison of said response 
code generated by said personal unit to said expected response 
code is acceptEible. 

22 . A system according to claim 21, wherein said network 
comprises: 

a service access network for transmitting a request 

to access a service; 

an authentication challenge network, operatively 

connected to said authentication center, for transmitting 
said challenge code to said personal unit, 
said system further comprising: 

at least one service node for providing a service 
including exchanging service data with a user through said 
service access network and for receiving said request to 
access a service causing the authentication center to generate 
a challenge code in response to said request to access a 
service. 
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;23.. ;a system according to claiiii:22 , -wherein '.said service 
-access .network further comprises .means for transmitting said 
:response code to said comparing means. 

24, A system according to claim 22, wherein said- 
authentication challenge network further comprises means for 
transmitting said response code ;to said comparing means. 

25- A system according to claim 23, wherein said 
comparing means is located in said authentication center. 

26. A system according to claim 24, wherein said 
comparing means is located in said authentication center. 

27. A system according to claim 23, wherein said 
comparing means is located in said at least one service node. 

28. A system according to claim 24, wherein said 
comparing means is located in said at least one service node. 

29. A system according to claim 21, wherein said 
response code is generated according to an algorithm stored in 
said personal unit. 

30. A system according to claim 22, wherein said service 
access network includes a land-line telephone system. 

31. A system according to claim 22 , wherein said service 
node offers one or more services selected from the following 
group of services: banking services, credit card services, 
automatic teller machine services, account information 
services, general information services, security services, 
and long distance telephone services. 
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32. A ^system .according to -.cl-aim :Z2,., wherein :sald 
aut±ientication challenge network .Includes ;a :radio transmii:- 
'ter. 

. .33. A system according to claim 22, wherein said 
authentication challenge network includes a cellular tele- 
phone network. 

34. A system, according to claim 22, wherein said 
authentication challenge network includes a pager network. 

35. A system according to claim 22, wherein said 
personal unit includes a response code generator means. 

36. A system according to claim 29, wherein said 
response code generator means generates said response code 
according to said received challenge code, said user input and 
a secret key stored in said personal unit. 
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